Major universities hit by data breach affecting thousands of job applicants at top firms

Leading universities including Melbourne and Macquarie have become the latest victims of a major data breach at human resources firm PageUp, forcing them to suspend their job boards and urge applicants to check their affairs for unusual activity.

PageUp People, which manages recruitment for ASX200 firms including AMP, Telstra and Coles, revealed it had detected "unusual activity" on its IT infrastructure last month and received "some indicators that client data may have been compromised".

The breach is under investigation by the government-run Cyber Security Centre. PageUp advised there was "no evidence that there is still an active threat, and the jobs website can continue to be used" - though many of its clients were being more cautious.

The University of Melbourne was hit by the PageUp data breach.Credit:Simon Schluter

The University of Melbourne, ranked number one in Australia by Times Higher Education, disabled its links to PageUp's systems and is only accepting job applications by direct email. It urged existing applicants to check their affairs for any "unusual activity concerning personal information supplied during the recruitment process".

Advertisement

The Australian National University in Canberra was also hit by the breach. A spokeswoman said on Friday "we've been advised that our site is secure" and applicants could use site as normal, but they could also apply directly to the university if they wished.

RMIT University's job board remained completely shuttered on Friday afternoon, advising that PageUp "has been unable to advise the exact nature of the breach".

However, other universities have taken no action. Macquarie University made no mention of the PageUp data breach on its careers board, and applicants could still make applications through the university's website on Friday afternoon. Doing so takes applicants straight to a PageUp URL.

A Macquarie spokeswoman confirmed the university used PageUp's services but did not provide a statement before deadline. UNSW and the University of Tasmania are also affected.

"We are seeking information from PageUp as well as conducting our own investigations," a UNSW spokeswoman said.

"UNSW takes data security very seriously and has rigorous processes in place to ensure data is secure and protected."

The University of Sydney, the University of Technology and the University of Wollongong said they do not use PageUp.

Outsourcing recruitment to third parties is increasingly common among top firms and universities. PageUp also offers services in performance management, HR analytics and succession planning.

Online job boards for Coles and Telstra also remained down on Friday afternoon, replaced by similar statements assuring users it was not aware of any fraudulent activity as a result of the data breach.

Alastair Macgibbon, head of the Australian Cyber Security Centre, said investigations were ongoing. He was not aware of any fraud taking place as a result of the breach.

"Some form of malicious code has been executed inside PageUp's systems, which has led to persons unknown having access to information held by PageUp," he said.

"To my knowledge, we haven't seen any secondary victimisation but it might be too early to tell. We just don't know what people have accessed and what they've potentially taken."

PageUp, which is founded and run by Singapore-based Karen Cariss, was unable to comment before deadline.